Where is the OCR?
EDITOR’S NOTE: This article was prepared with the assistance of artificial intelligence (AI). It was then edited by a human being.

Recent articles have described a significant 2026 dispute over the misuse of health information that was obtained through the Carequality health information network by asserting a treatment purpose.

The core allegation is that companies used Carequality, Health Gorilla, and several of its clients under the pretense of treatment-related access, but instead obtained patient records for non-treatment purposes, such as sharing them with law firms seeking potential plaintiffs for litigation. Epic and several provider organizations – including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health – then sued Health Gorilla and several related entities, alleging improper access to roughly 300,000 patient records from the Epic community, plus an unknown number from other organizations, including the federal Veterans Affairs (VA) system and other providers using other electronic health records (EHRs).

The lawsuit was filed in January. According to Steve Alder, “the lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework. The lawsuit alleges that Health Gorilla clients have been abusing access to patient data for financial gain.”

In Health Gorilla’s case, it appears that it controls who is allowed to access the framework.

Together, the plaintiff organizations allege that Health Gorilla and a network of companies set up fictitious healthcare providers, shell websites, and fake provider IDs to make it look like records requests were legitimately for patient care purposes.

These major exchange frameworks support large-scale sharing of health records for treatment and care coordination. Participation in the frameworks depends heavily on trust: organizations must represent that they are requesting records for legitimate purposes and comply with the Health Insurance Portability and Accountability Act (HIPAA) and related state and federal requirements. The lawsuit argues that this trust was exploited by entities that allegedly misrepresented who they were and why they wanted access.

Several companies have been identified as allegedly accessing the patient data for non-treatment purposes, including the following:

  • RavillaMed, a chronic condition management firm: evidence supplied did not demonstrate patient treatment;
  • Critical Care Nurse Consulting: this entity had an affiliation with law firms, and once concerns were raised, they ceased accessing records;
  • SelfRx, another firm onboarded by Health Gorilla, accessed large volumes of records;
  • Particle Health was banned by Carequality, but its former CEO started Mammoth, which then gained access through Health Gorilla. Additionally, Particle Health filed an antitrust lawsuit against Epic Systems, alleging it is using its market dominance to illegally block access to health records.
  • The Texas attorney general is also going after Epic, alleging, among several things, anticompetitive business practices, including restricting parental access to children’s medical records.

At least initially, all of the Health Gorilla clients denied any wrongdoing. However, a major development arose when GuardDog Telehealth, one of the defendants, entered into a stipulated judgment with Epic and the co-plaintiffs. In that filing, GuardDog admitted that although its stated goal had been to provide chronic care management and remote patient monitoring, that “did not happen.” Instead, it acknowledged that its business focused on “requesting, reviewing, and summarizing medical records” and providing those records to law firms. It also admitted that it obtained records through Carequality by asserting a treatment purpose. Under the proposed judgment, GuardDog would be permanently barred from requesting records through the Trusted Exchange Framework and Common Agreement (TEFCA) or Carequality, required to delete any patient information obtained through those frameworks, and prohibited from any further use or dissemination of that information.

The GuardDog admission is important for two reasons. First, it validates at least part of the plaintiffs’ theory that interoperability channels can be exploited when organizations rely too heavily on representations of treatment purposes. Second, it raises broader governance questions for health information exchange participants, EHR vendors, and provider organizations. The case suggests that technical interoperability alone is not enough. Robust onboarding, verification, monitoring, and response mechanisms are equally important. If one participant can gain access under false pretenses, the damage can extend well beyond privacy.

A recent MedCity News article notes that Epic’s complaint also alleged that “junk” data was inserted into records to make the activity appear legitimate, which could waste clinician time and potentially create patient safety risks.

At the same time, the litigation remains contested. It appears from the various published articles on this case that Health Gorilla did no vetting of entities requesting access to the patient data. However, Health Gorilla has denied wrongdoing, arguing that the GuardDog judgment does not establish liability on Health Gorilla’s part.

According to Health Gorilla, GuardDog did not tell it about any non-treatment use, and when Health Gorilla and others tried to investigate, GuardDog allegedly failed to cooperate. Health Gorilla has also framed Epic’s broader lawsuit as an “attack on interoperability” that could threaten efficient data exchange and patient safety if it chills appropriate participation in national exchange frameworks. A hearing on Health Gorilla’s motion to dismiss was reported as set for April 23.

Taken together, the articles point to a central tension in modern health information exchange. The healthcare industry wants faster, broader, more seamless data-sharing to improve coordination, reduce duplication of efforts, and support patient care. But the same infrastructure can be misused if governance controls are weak, or if participants misrepresent their role and purpose. The GuardDog admission does not resolve the full case, but it does underscore a key lesson: interoperability without strong trust controls can expose patients, providers, and others that participate in Carequality, TEFCA, or similar exchange frameworks to peril. As such, each organization should revisit how it vets participants, validates treatment purposes, monitors access patterns, investigates unusual behavior, and responds when concerns emerge. Organizations should also recognize that information governance is now inseparable from interoperability strategy. The value of nationwide exchange depends not just on connectivity, but on enforceable accountability.

But the real question is: where is the Office for Civil Rights (OCR)? An alleged 300,000 patient records were inappropriately accessed. According to Jack Troy, UPMC reported the incident to the U.S. Department of Health and Human Services (HHS). I reviewed the OCR breach list of 500+ cases, but did not see any report by any of the plaintiffs; however, it only reflected cases through February. The other issue is that a health information exchange (HIE) is not a health plan, healthcare payor, or clearinghouse. Therefore, the HIE is not a covered entity. Covered entities have their own set of rules to follow under HIPAA. There are many issues that have surfaced from this case, and we’re certain to see changes to HIPAA and organizational privacy practices going forward.

Stay tuned.

Sources:

Katie Adam. “Why the Epic-Health Gorilla Case Just Got Juicier.” MedCity News. Accessed March 16, 2026. https://medcitynews.com/2026/03/epic-health-gorilla-lawsuit-data/.

Steve Alder. “Epic Sues Health Information Exchange Network Over Improper Record Access.” HIPAA Journal. Accessed March 17, 2026. https://www.hipaajournal.com/epic-sues-health-information-exchange-network-improper-record-access/.

Heather Landi. “GuardDog Telehealth, Epic Reach Agreement in Ongoing Fraud Lawsuit Over Health Records.” Fierce Healthcare. Accessed March 17, 2026. https://www.fiercehealthcare.com/health-tech/guarddog-telehealth-epic-reach-agreement-ongoing-fraud-lawsuit-over-health-records.

David Raths. “In Stipulated Judgment, GuardDog Telehealth Admits Providing Patient Records to Law Firms.” Healthcare Innovation. Accessed March 17, 2026. https://www.hcinnovationgroup.com/interoperability-hie/trusted-exchange-framework-and-common-agreement-tefca/news/55364033/in-stipulated-judgment-guarddog-telehealth-admits-providing-patient-records-to-law-firms.

Jack Troy. “UPMC warns embattled data exchange Health Gorilla may have improperly pulled patient records.” TribLive. Accessed March 21, 2026.

Legal Filing: https://www.epic.com/content/stipulation-re-judgment-and-permanent-injunction.pdf; Epic Systems Corporation; OCHIN, Inc.; Reid Hospital & Health Care Services, Inc. d/b/a Reid Health; Trinity Health Corporation; and UMass Memorial Health Care, Inc., Plaintiffs, v. Health Gorilla, Inc.; RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC, d/b/a Mammoth Dx; Mammoth Path Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC d/b/a Myself.Health; Critical Care Nurse Consultants, LLC d/b/a GuardDog Telehealth; Hoppr, LLC; Meredith Manak, and DOES 1-100, Defendants. Case No. 2:26-cv-00321-FMO-RAO
